Researchers Discover Critical Steam Vulnerability

This isn't exactly what anyone wants to hear, but it is what it is. Security research firm ReVuln has discovered a new vulnerability in Valve's Steam software: an attacker can abuse the steam:// URL protocol to trick a user into opening malicious URLs. Whenever Steam is installed on a system, it registers itself as a steam:// URL protocol handler. Anytime someone clicks on a steam:// URL in a browser or chat program, that URL is sent along to the Steam client for execution. Those URLs can tell a game to install or uninstall, download updates, back up files, start games, and more. It is those commands an attacker can exploit, especially since some browsers do not ask a user for confirmation before handling the steam:// URL.

ReVuln states Internet Explorer 9, Google Chrome, and Opera all show a warning and display the URL, while Mozilla Firefox just has the warning. Safari does neither of those things, and simply executes the command. According to ReVuln:

All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls. Additionally for browsers like Internet Explorer and Opera it’s still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself.

Even in the browsers that do require user confirmation, steam:// URLs go through automatically if that setting was changed. Removing an annoying confirmation screen is something many people do, I'm sure, so that warning system would no longer be present. Attackers can also use JavaScript code on malicious websites to redirect browsers to the URLs. Certain Steam games, like Source engine ones, can be targeted as well, provided you have them installed. ReVuln posted a video showing off what attackers can do with these vulnerabilities. The firm recommends users disable the steam:// URL protocols to better protect themselves or switch to a browser that automatically asks for confirmation. Mac OS X users with Safari are more exposed to the attacks, so Steam gamers with a Mac should be extra careful.
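For anyone filtering or reviewing web content, the behaviours described above (steam:// links in a page, script redirects to them, and space padding that hides part of the URL in the warning) can be checked for mechanically. The following Python scanner is an added example, not code from ReVuln or Valve; the `steam://placeholder/...` paths are constructed and not real Steam commands, the names are hypothetical, and treating three or more consecutive spaces as padding is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

URL_ATTRS = {"href", "src", "action", "data"}   # attributes a browser may load
SCRIPT_URL = re.compile(r"""["'](steam://[^"']*)["']""", re.I)  # URL in script text
PADDING = re.compile(r"\s{3,}")   # assumption: "several spaces" means 3 or more

# Constructed sample page; the steam://placeholder/... paths are not real commands.
SAMPLE = """<a href="steam://placeholder/one">plain link</a>
<a href="steam://placeholder/two%20%20%20%20%20%20rest">encoded padding</a>
<iframe src="steam://placeholder/three      rest"></iframe>
<a href="https://example.com/">ordinary link</a>
<script>window.location = "steam://placeholder/four";</script>"""


class SteamLinkFinder(HTMLParser):
    """Collects steam:// URLs from tag attributes and inline scripts."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.findings = []

    def record(self, url, source):
        padded = bool(PADDING.search(unquote(url)))  # decode %20 before checking
        self.findings.append({"url": url, "source": source, "padded": padded})

    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        for name, value in attrs:
            if name in URL_ATTRS and value and value.strip().lower().startswith("steam://"):
                self.record(value, f"<{tag} {name}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:   # script text, e.g. a location redirect
            for match in SCRIPT_URL.finditer(data):
                self.record(match.group(1), "script")


def scan(html):
    """Return one finding per steam:// URL found in the HTML text."""
    finder = SteamLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

Calling `scan(SAMPLE)` returns four findings; the two padded URLs are the ones whose tail a warning dialog could fail to show.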

Valve has not commented on this report, but hopefully it issues a statement and patch shortly to correct it.